The following information was recently posted to a well known information security mailing list.

OpenX adserver version 2.8.1 and lower is vulnerable to remote code execution. To be exploited, this vulnerability requires banner / file upload permissions, such as granted to the ‘advertiser’ and ‘administrator’ roles.

This vulnerability is caused by the (insecure) file upload mechanism of affected OpenX versions. These would check magic bytes of an uploaded file to determine its MIME type, and erroneously assume this information to be reliable. Additionally, while the file name of uploaded files is changed, the file extension is not.

As such, it is possible to upload image files with embedded PHP code and .php file extension. Unless PHP script execution is explicitly prevented for the file upload location (which has not been documented in the OpenX manual so far and it is not the result of a default installation), the PHP code will execute as soon as HTTP access to the file location will cause it to be executed by the web server.

To clarify, an attacker exploiting this security issue does require prior access to OpenX, i.e. exploitation is only possible after successful authentication. On the other hand, advertiser access is a rather low permission level and should not allow for system access.